Recommendations attempt to raise acquisition, cyber consciousness

Jason Miller on the Federal Drive.

A new set of recommendations aims to change the entrenched federal acquisition
culture. The Defense Department and the General Services Administration made six
suggestions Jan. 23 for addressing cybersecurity issues at the very beginning of
any procurement.

The goal of the recommendations is to make the
federal procurement community more cyber conscious.

"We identified gaps in the acquisition system, and one of the gaps is we don't
often understand what the risk is in terms of cyber in the solution or deliverable
we are purchasing, and because we don't understand the risks, we make decisions
that are not informed and end up with a deliverable that doesn't meet our needs,"
said Emile Monette, GSA's senior adviser for cyber in the Office of Mission
Assurance, in an interview with Federal News Radio Wednesday. "The other gap is
the risk tolerance of the end user is not always understood by the buyer. We
really wanted to bring those two things to the forefront."

GSA and DoD led the effort to come up with recommendations as required in
President Barack Obama's cyber Executive Order from last February.

The working group, which included the National Institute of Standards and
Technology and the Office of Federal Procurement Policy, determined areas ripe for
change based on gaps in federal procurement or based on industry best practices.

"There are a couple things here that are something that industry has been directly
calling for for years, like the requirement to purchase from original equipment
manufacturers, their authorized resellers or other trusted sources. That's a
low-hanging risk criteria that industry adopted many, many years ago in their
supply chains to maintain the integrity of products they deliver, whether it's commercial
or the government. So we are happy to see things like that in there," said Trey
Hodgkins, the senior vice president of the public sector for the IT Alliance for
the Public Sector (ITAPS). "The other thing we suggested to the government
multiple times is that some of the acquisition practices and processes used today,
and I'll point to lowest-price, technically acceptable (LPTA) as a good example,
in certain circumstances contribute or add to the risk that this effort is
attempting to address. Seeking out and only using the lowest price as a filter or
threshold for acquiring goods and services doesn't get you the level of assurance
this exercise and other exercises are seeking in government acquisitions."

GSA and DoD held more than 40 meetings with industry
associations and others, including TechAmerica, the Professional Services Council,
the Coalition for Government Procurement, privacy companies and many others.
Hodgkins said industry's input is clear from both the draft recommendations issued
last summer and these final ones.

Developing a baseline for cyber requirements as standard clauses in all
contracts.

Developing standard definitions for cyber terms.

Developing and instituting a cyber risk management framework.

Requiring a clause in all agency contracts that obligates contractors to buy only
from original equipment manufacturers or authorized resellers.

Increasing government accountability for cyber risk management.

Monette said of the six, the cyber risk management framework is among the most
important of the recommendations because almost every other suggestion is
dependent on that framework.

"It's really about addressing security as the strategic issue that it is. The idea
is at the end of this, we would be building security in instead of bolting it on
and fixing field systems and things like that," he said. "One of the outcomes that
is sort of an interim step to implementing this recommendation is to define a
repeatable process for addressing cyber risk in acquisitions. We are bringing
together, blending what are traditional sourcing or procurement practices with
information security practices."

Monette said, for example, the working group could use NIST Special Publication
800-53, Rev 4 to identify which security controls apply to a particular
acquisition. Then, the committee could match that process with OFPP guidance or a
Federal Acquisition Regulation clause on pricing data that would address, for
instance, when it's inappropriate to use LPTA or how to weigh source selection
criteria or performance indicators.

"We would couple those together and identify them as a baseline or as a minimum or
threshold requirement for different types of acquisitions," he said.

Recognizing, accepting risk

Monette said the working group will look through the entire procurement spend and
decide which types of acquisitions present the biggest cyber risks.